Re: time sync from NTP in win 2003
- From: "DD" <darshan.diora@xxxxxxxxxxxxxxxxx>
- Date: Thu, 21 Feb 2008 11:51:42 +0530
Thanx a Trillion , last thing how shall i rate these responses like any
online response survey if present ?
regards
darshan
"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:%23DuLeCFdIHA.5984@xxxxxxxxxxxxxxxxxxxxxxx
Sorry if this post sounds like a "lecture", its intended to be
informative, not condescending or arrogant. A potential problem in
newsgroups is that one does not necessarily know the state of knowledge
and experience that the other posters (e.g. the one asking a question)
actually have, thus there is always the possibility of "insulting the
intelligence" of the seeker of knowledge!
I hope the following answers your questions and helps to understand how
the time synchronization functions in a Windows domain - at least my
understanding of available Microsoft documentation and my own experience.
As explained in the following quote from
http://technet2.microsoft.com/windowsserver/en/library/517e74d7-40e9-41bd-93aa-48b610b936321033.mspx?mfr=true
"domhier", with respect to member computers (domain controllers are
different), means synchronize time with ANY domain controller.
"By default, the computers on the network obtain the time from their
authenticating domain controller."
On any domain member computer, the Environment Variable called
"logonserver" holds the name of the "authenticating domain controller",
which is not necessarily the Domain Controller holding the PDC FSMO Role.
(The ommand - set logonserver - will report the name of the current
"authenticating domain controller").
Domain Controllers on the other hand, use a more complicated algorithm to
synchronize their time with a "reliable time source", which is, by
default, the Domain Controller with the PDC Emulator FSMO Role.
Apart from curiosity, which in itself is valuable, why are you concerned
about which Domain Controller the member computers use as the time source?
The default configuration on clients and Domain Controllers (except for
one, as explained below) normally works just fine. Here's a quote from
http://technet2.microsoft.com/windowsserver/en/library/b43a025f-cce2-4c82-b3ea-3b95d482db3a1033.mspx?mfr=true
"In most cases, it is not necessary to configure the Windows Time
service. "
For a more detailed explanation, take a look at
http://technet2.microsoft.com/windowsserver/en/library/b43a025f-cce2-4c82-b3ea-3b95d482db3a1033.mspx?mfr=true,
particularly the section "Windows Time Service Processes and
Interactions", which is about half way through the article. Here's a
quote from that section:
"As part of the time convergence process, domain members attempt to
synchronize time with any domain controller located in the same domain.
If the computer is a domain controller, it attempts to synchronize with a
more authoritative domain controller."
The diagram in the subsequent section ("Domain Hierarchy-Based
Synchronization") shows what the time synchronization hierarchy is. It
shows that a member server or member workstation can synchronize time with
ANY domain controller in their domain and will not necessarily synchronize
with the one holding the PDC Emulator FSMO role. As long as a Domain
Controller is set to be a "time source" (which all are by default), a
member server or workstation may synchronize time with any of them.
One Domain Controller should be configured to be the "most reliable time
source", quite often by manually configuring the one with the PDC Emulator
FSMO role to synchronize with an external time source and marking it as
"reliable" - see
http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true.
If you don't do this, you will get Event Log entries stating that there is
no "reliable" time source in the domain (at least on Windows Server 2008 -
System Event Log - Source Time-Service, Event ID 12). As stated earlier,
this does not make the Domain Controller holding the FSMO Role as the ONLY
source of time for member computers.
By default, the Domain Controller that has the PDC FSMO role is considered
the one with the "most reliable time source" and is thus used by other
Domain Controllers as the source of time. This can be changed manually.
See for example,
http://technet2.microsoft.com/windowsserver/en/library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx?mfr=true,
which suggests manually configuring a Domain Controller that does not hold
the PDC FSMO role as the the "most reliable time source" - see
http://technet2.microsoft.com/windowsserver/en/library/dd2ca576-2644-4b8c-9d3c-73802196ef9a1033.mspx?mfr=true
and
http://technet2.microsoft.com/windowsserver/en/library/4a63190b-c594-4d43-9195-e54e4cb89d251033.mspx?mfr=true.
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"DD" <darshan.diora@xxxxxxxxxxxxxxxxx> wrote in message
news:u0j$mZgcIHA.5164@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Domain hier means First Parent DC, than ADC. and in my case all the 5
FSMO roles are with server A and server B has no roles with it.
This means that all menbers shall be taking their time from ServerA being
a PDC which doesen't happen . Also configured the server options in DHCP
|
time server as server A but still all members of the domain shows time
source as Server B. After removing ADS from server B all the client,
members shows
correct time source as Server A but after adding a new serverC as an ADC
all the clients take their time from ServerC despite it has not been
configured
anywhere to be a time source of my domain.Why is it so.
Regards
darshan
"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:F1E42160-9273-4186-8EBE-AD1CC73A2603@xxxxxxxxxxxxxxxx
The default for domain members and Domain Controllers is to sync time
with the "Domain Hierarchy", not the Domain Controller with the PDC
Role. The page referenced by Marcin tells you how to set up the default
and the PDC emulator to use an external time source.
Which Domain Controller is used by clients is not usually important
because all of the Domain Controller routinely syncronize their time
amongst themselves, using the DC with the PDC emulator role as the
ultimate source of true time. With just two Domain Controllers, DC B
will sync time from DC A - the one with the PDC emulator role.
Just as which Domain Controller a particular computer uses for user
credential authentication is not deterministic, so is which Domain
Controller will be used as the source of time.
As long as:
1. the PDC emulator is configured to syncronize time from an "external
source"
(e.g. using the command w32tm /config /syncfromflags:manual
/manualpeerlist:time.nist.com /reliable:yes /update)
2.. the other Domain Controllers are configured to syncronize with the
"Domain Hierarchy" - which is the default
(can be set using the command w32tm /config /syncfromflags:domhier
/update)
3. the other member computers are configured to syncronize with the -
which is the default (same command as for 2.)
Your time syncronization should be in good shape. Except for doing 1.
normally there is no need to adjust the Windows Time Service
configuration - it just works - when a computer joins the domain, it is
configured to syncronize with the Domain Controllers ("Domain
Hierarchy").
If you really want (or need for some special reason) to force all your
domain members to specifically syncronize time with a particular Domain
Controller, you can do this using a GPO:
Computer Configuration
Administrative Templates
System
Windows Time Service
Enable Windows NTP Client
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"DD" <darshan.diora@xxxxxxxxxxxxxxxxx> wrote in message
news:OvS$q$KcIHA.1212@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Tried all the possibilities as posted in the link but no success.
Whenever i shut down the server B which is an ADC the net time on any
clients shows correct
source as server A which is the parent DC but as soon i start the
ADC(serverB) it automatically shows the time source as ServerB. How can
i resolve this
as time source is actually Server A on which the time sync with
external program is running.
Regards
darshan
"Marcin" <marcin@xxxxxxxxxxxxxxxx> wrote in message
news:B57D1346-FE4F-4D76-A4A5-9DC1C2103DC7@xxxxxxxxxxxxxxxx
Darshan,
try steps outlined in the
http://technet2.microsoft.com/windowsserver/en/library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx?mfr=true
hth
Marcin
.
- References:
- time sync from NTP in win 2003
- From: DD
- Re: time sync from NTP in win 2003
- From: Marcin
- Re: time sync from NTP in win 2003
- From: DD
- Re: time sync from NTP in win 2003
- From: Bruce Sanderson
- Re: time sync from NTP in win 2003
- From: DD
- Re: time sync from NTP in win 2003
- From: Bruce Sanderson
- time sync from NTP in win 2003
- Prev by Date: Re: time sync from NTP in win 2003
- Next by Date: Re: Stale records on Active directory
- Previous by thread: Re: time sync from NTP in win 2003
- Next by thread: Set home users home folder in VBS or GPO
- Index(es):
Relevant Pages
|
